"You have no idea how much we can f**k with the US," alleged hacker says.

Federal prosecutors have accused a UK man of hacking thousands of computer systems, many of them belonging to the US government, and stealing massive quantities of data that resulted in millions of dollars in damages to victims.

Lauri Love, 28, was arrested on Friday at his residence in Stradishall, UK following a lengthy investigation by the US Army, US prosecutors in New Jersey said. According to prosecutors, the attacks date back to at least October 2012. Love and other alleged hackers are said to have breached networks belonging to the Army, the US Missile Defense Agency, NASA, the Environmental Protection Agency, and others, in most cases by exploiting vulnerabilities in SQL databases and the Adobe ColdFusion Web application. The objective of the year-long hacking spree was to disrupt the operations and infrastructure of the US government by stealing large amounts of military data and personally identifying information of government employees and military personnel, a 21-page indictment said.

"You have no idea how much we can fuck with the US government if we wanted to," Love told a hacking colleague in one exchange over Internet relay chat, prosecutors alleged. "This... stuff is really sensitive. It's basically every piece of information you'd need to do full identity theft on any employee or contractor" for the hacked agency.

According to prosecutors, Love used automated scanners to identify vulnerabilities in large ranges of IP addresses. He would then exploit them to inject powerful SQL commands into a site's backend database. He exploited similar types of vulnerabilities in sites that used ColdFusion, the Web application software whose full source code was recently found on a server operated by hackers. The ColdFusion security flaw, which has since been corrected, allowed Love to gain administrator-level access to computer servers without proper login credentials, a separate criminal complaint filed in a Virginia federal court alleged. After breaching the websites, Love allegedly planted backdoor code on the servers that gave him persistent access to the networks so he could return at a later date and steal confidential data.

"Collectively, the hacks described herein substantially impaired the functioning of dozens of computer servers and resulted in millions of dollars of damages to the government victims," the indictment, filed in US District Court in Newark, New Jersey, alleged.

The campaign continued through this month, prosecutors said. They alleged it began no later than October 2, 2012, when Love and his fellow hackers attacked the Engineer R&D website operated by the US Army Corps of Engineers. After exploiting a ColdFusion vulnerability, the hackers obtained a copy of the site's password properties file and exploited it to determine an administrator password for the site.

"Using the stolen administrator's password, the co-conspirators obtained data belonging to the Army Corps, including information regarding the planned demolition and disposal of certain military facilities," prosecutors wrote in the indictment. "The attack was launched from a computer server located in or around Romania, which was leased by defendant Love."

The indictment went on to detail at least nine additional hacks on government and military networks. Other government agencies Love allegedly breached included the Department of Energy, the Department of Health and Human Services, the US Sentencing Commission, and the Regional Computer Forensics Laboratory, according to the criminal complaint filed in Virginia. To cover his tracks, Love allegedly used the Tor privacy service to conceal his IP address and used a series of pseudonyms. He and his colleagues allegedly used pseudonyms on social media sites to publicize the breaches. Despite the effort to remain anonymous, Love allegedly originated at least one attack from an Internet domain that was registered using a PayPal account associated with his lauri.love@gmail.com account.

Love was charged with one count of accessing a US department or agency computer without authorization and one count of conspiracy to do the same. If convicted, he faces a maximum potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense, on each of the two counts.

Information about a US army building demolition? That's his "massively fuck with the government"?

As terribly incompetent and idiotic as many of the military policies are, he hasn't hacked jack squat to actually compromise the US Army. This article is like the sky is falling for the government, but he has no idea how the network is actually structured. If he breaks THAT, then, well, I'd be quite impressed.

"This... stuff is really sensitive. It's basically every piece of information you'd need to do full identity theft on any employee or contractor" for the hacked agency.

And for all of this guy's badassness, in the end, all he's really doing is causing all sorts of anguish and worry for pretty ordinary people who are doing ordinary jobs for the Government rather than unlocking gigantic security scandals or exposing nefarious activities.

What an asshole. Yes they're negligent to have such lax security. Does he think Obama himself mans these websites? This type of exploit exposes personal data of rank and file employees. What a guy. The harm to the government is most likely to data entry clerks & customer service reps.

This reminds me of that script kiddie from a while back when Anonymous was big in the news who was all "good luck finding me, I'm behind seven proxies", and three days later I was reading about his arrest.

It is best to hack your own computer just to see what kind of trail you leave if you intend to hack a target. (The military branches have mottos that end up being "you fight like you train.") In my case, I only hack my own computers (BackTrack Linux), just to do security checks.

I am amazed at the number of people that self host websites, leaving their network really wide open to hackers, just to avoid paying $100 a year for a modest hosted website.

Love allegedly originated at least one attack from an Internet domain that was registered using a PayPal account associated with his lauri.love@gmail.com account.

I find it interesting that these people who are arguably very intelligent don't consider the low-hanging fruit of the paper trail that would identify them.

OpSec is hard to maintain even when you're conscious of it. It sounds simple (and can be), but failures mostly boil down to laziness and people running their mouths to feed their egos.

When you're dealing with the gov't and their huge resources, if you slip up once, it can be game over. I think a lot of these guys end up getting burned by things they did long before they started attacking gov't when they were less paranoid. Ego and the need to publicize what they are doing to earn cred probably burns a lot of them.

"He would then exploit them to inject powerful SQL commands into a site's backend database."

It's amazing to me that SQL injection is still going on. At this point, leaving this vulnerability really should be considered criminal negligence.

Security is hard. If you know how to write software that can't be exploited, please tell the world how.

A far better approach, which is what I prefer, is to make sure the server doesn't contain anything a hacker can use. If something can't get out, then don't store it on a server in the first place. Or use a server that just isn't connected to the internet.

Much in the same way that Jefferson's tree of liberty must be refreshed with the blood of patriots (Snowden, Swartz, Manning), the security of government computer systems appears to require the annual sacrifice of some promising young computer scientist.